The EU Just Rewrote Its AI Rulebook: What the EU AI Act Omnibus and New Cybersecurity Plan Mean in 2026
The EU AI Act is changing — again. On June 29, 2026, the Council gave its final green light to simplify and streamline the rules, and on July 7 the European Commission unveiled a new action plan on cybersecurity and AI. Two big moves inside ten days.
Here’s the thing: Brussels spent five years building the world’s strictest AI law, and it’s now spending 2026 sanding down its sharpest edges. If your product touches Europe, the compliance map you drew last year is already out of date.
What Actually Changed in the EU AI Act?
The “AI Act Omnibus,” politically agreed on May 7, 2026 and now finalized, does four notable things. It clarifies existing requirements that companies found ambiguous. It extends compliance deadlines for high-risk AI systems, giving providers breathing room. It introduces new rules on AI-generated intimate content — including a ban on so-called “nudification” apps. And it dramatically widens SME relief: the simplified compliance framework now covers companies with up to 750 employees and €150 million in annual revenue, with reduced fines, sandbox access, and standardized documentation templates.
That last one is huge. 750 employees is not a small business by most definitions. A big slice of Europe’s mid-market just got a lighter rulebook.
Meanwhile, the transparency rules still land in August 2026. That deadline did not move. Chatbots must disclose they’re chatbots, deepfakes must be labeled, and AI-generated content needs machine-readable marking.
What This Means For You
If you’re a European AI startup or mid-sized firm, check the new SME thresholds first. If you’re under 750 employees and €150 million revenue, your documentation burden, fine exposure, and sandbox access all just improved. That’s real money and real time.
If you’re a US or Asian company selling into the EU, don’t misread “simplification” as retreat. The transparency obligations still hit in August 2026, and the Commission is standing up EU-wide AI model evaluation capacity — expected operational by 2027 — to assess advanced models before they reach the EU market. Third-party scrutiny is increasing, not decreasing.
Not everyone is celebrating, by the way. Amnesty International and other rights groups argue the simplification package rolls back digital rights protections that took years to win. And honestly, they have a point worth hearing: deadline extensions for high-risk systems mean real-world deployments run longer without full guardrails. The counterargument — that unworkable rules protect no one — is exactly the bet Brussels just made.
How to Prepare: Three Steps Before August 2026
First, audit your transparency surface. Every user-facing AI interaction, every generated image or video, every synthetic voice — label it and make the marking machine-readable. Second, re-check your risk classification under the amended rules; some high-risk timelines shifted, and your obligations may have moved with them. Third, if you qualify for the expanded SME framework, switch to the standardized documentation templates now rather than retrofitting later.
The July 7 cybersecurity action plan adds one more thread: coordinated EU support for member states and businesses facing risks from the most advanced AI models. Expect funding calls and evaluation infrastructure to follow through 2027.
Key Takeaways
- The Council finalized the EU AI Act Omnibus on June 29, 2026 — simplifying rules and extending high-risk compliance deadlines.
- Transparency rules still take effect in August 2026; that deadline did not move.
- SME relief now extends to companies with up to 750 employees and €150M revenue.
- “Nudification” apps are banned under new rules on AI-generated intimate content.
- A July 7 cybersecurity action plan and 2027 EU model-evaluation capacity signal more scrutiny of frontier AI, not less.
Is the EU finding the right balance between innovation and protection, or trading away hard-won rights for competitiveness? Share your take in the comments.